Where we disagree is that I do not consider the OAuth “loophole” to be a significant security hole, per my opening message of this Topic. SmartThings has bigger vulnerabilities that are not published.
6 Likes
I’m happy to find I can remove the access_token from the smarttiles URL and force a login screen.
However, this is a bit cumbersome and slow on iPad. I want to mount tablets on walls to control ST.
Would you consider implementing PIN type access like Evernote does on iPhone and iPad?
Entering a 4 digit PIN is not as secure as full login, but is quick and prevents casual access and pranks.
Great work on SmartTiles!
1 Like
Well, I’m glad to hear that SmartThings took my side of the great security vs convenience debate and finally decided to close the notorious non-loophole. 
Seriously, Geko? Your post is really not appropriate Community behavior.
The fact remains what I posted in my earlier response:
And again, I respectfully disagree. It is exactly those closed-source SmartApps that do not undergo official review process that present greater security risk, imho.
Security threat analysis is based on capabilities, not intentions. SmartApps have virtually unrestricted access to all resources and can cause real physical damage, whether intentional or not. Installing a closed-source SmartApp via OAuth process without being able to review it’s source code, or at least having SmartThings “stamp of approval” is a risk that every user should be aware of.
2 Likes
That’s my point… Amazon, IFTTT, InitialState and all other 3rd Party Services with “submitted/approved/Marketplace-published” SmartApps the capability to use these Endpoints in any way they wish, completely outside of the approval process.
The source-code of the web services end-point provider SmartApp only reveals the capabilities of the end-point, not the intentions of the Service Provider. If Amazon Echo’s end-point SmartApp offers the capability of locking and unlocking your doors, there is nothing to prevent Amazon from granting this capability to your local burglary syndicate.
1 Like
Thanks, JH… great reference material!
Indeed, @625alex and myself are very conscious of various types of security issues and professional industry vulnerability remediation protocols such as that which you referenced.
We are in already in secure communications with the designated appropriate SmartThings company channels regarding the concerns we have. They have been extremely cooperative and are conscious of reasonable “Responsible Disclosure”.
The precise determination and closing of security holes benefits all Customers and Partners of SmartThings (and SmartThings themselves, of course).
Despite my disagreement with the inaccurate summary of some particulars expressed by Geko; ensuring security and privacy for users of SmartTiles is a top priority for us. We are also keen to be outstanding “Community Citizens” in regards to public education and, as needed, holding everyone accountable to the highest standards.
2 Likes
Wow Terry, are you implying that Amazon is just a front for a bulglary syndicate? What about Google? Are they in the illicit drug trade? And I suppose Apple is supplying arms to all those pesky terrorists around the globe.
OH You jest, but you just have no idea how close your rhetorical queries here actually comes to reality.
The DOJ indicted cryptographers for publishing algorithms in the past for illegal arms exporting, these are fully legitimate well established folks in the industry, but this was a decade ago. Fast forward to today, now the DOJ is ramping up the rhetoric around encryption and other privacy protects to a fever pitch where it a political conversation. So yes, Apples is supplying arms to terrorists if you ask the DOJ.
That aside, I am a big fan of Open Source software for security reasons. But the entire security industry was turned upside down in the last 18 months when we all realized that our assumptions that Open Source = Secure because obviously the endless reviews of the code would uncover issues were false. OpenSSL/Heart Bleed for one, and a series of others fell one after another. We’re all rethinking our stances on this. The bottom line is there are pros and cons to each approach.
Choose to use smarttiles or not, but can’t say I’ve seen arguments for open source sway a closed source company to open the books up - it’s more you choose to use that software or not, not much more to be said. That’s the IP Owner’s choice at the end of the day.
I don’t trust Smarttiles anymore than I trust ST to control my locks. Both a bunch of untrustworthy bandits if you ask me. 
And even if you did trust them and the security of their systems, both are subject to being forced to do things they would otherwise not do by the government and possibly other actors. So I have security in layers and they are just but one part of a strategy.
1 Like
How enlightening. Well… I’m off to bed… in my concrete-reinforced underground bunker with my trusty Glock 19 under my pillow.
You really should get a rifle. Pistols are weak.
Not when you want to get in close and give that long goodnight kiss
1 Like
You are now safe, @geko, they did it just for you!
No, seriously, Terry and I welcome this change. A perception of security is as important as security itself.
1 Like
Not sure I agree with that. Perhaps from the perspective of someone that is selling a product that would be true. Nonetheless, I am glad ST fixed that issue.
I would love to see some specific dates set for the other vulnerabilities alluded to, but I have no such leverage as I am not privy to the vuln. If I were, I’d set a date with ST for disclosure.
As you probably know by know, SmartThings is notoriously slow to address bugs – many have existed for years.
From limited experience, we have the impression they move somewhat faster on security vulnerabilities – hopefully proportionate to the severity of the risk. One of our issues was quite promptly resolved and so we are optimistic about the others. Industry standards for disclosure are inconsistent in this regard; so we’re basing our escalation timeline on our knowledge of the scope of the issue(s) and on the level of transparency and communication we are receiving. But, rest assured, we have an escalation plan to use if necessary.
I think the point that the end user MUST explicitly choose which devices you want to grant the 3rd party access to puts the security risk ultimately in the consumer’s hands.
If you want your locks to be unlockable via a 3rd party, then grant access.
NO ACCESS to ANY DEVICE is ALLOWED unless YOU select it. PERIOD.
Yes, there are many known and undisclosed vulnerabilities in ST, along with the 3rd parties. No system connected to the internet is ultimately safe.
I welcome this change, pushed for it a long time ago. Glad to see the big players who were using this vulnerability are adapting to the change and that ST is also helping make this happen as easy as can be possible.
3 Likes
I suppose everything is subject to definition, and I appreciate the clarification portion of your post, Patrick, but I can’t stop protesting that the “shared OAuth” installation technique was not a significant “vulnerability”.
Every user who installed any SmartApp via this “backdoor” or whatever it was referred to, did so willingly and was not exposed to more general risk than an “approved Marketplace” SmartApp that the user granted access to the same Devices with one specific exception: The “shared” OAuth SmartApp would be vulnerable to modification by a malicious party who somehow gained unauthorized access to the Developer’s Account (via password guessing, for example). Even in this latter case, the malicious party would not gain any greater power over the user’s Devices or Account than the user had granted to the actual Developer.
The reason I reiterate this clarification is that there are thousands of SmartTiles installations which were and are no more and no less “vulnerable” after the “shared OAuth installation technique” is disabled at the end of this month.
Users of SmartTiles are encouraged to fully understand the specific degree of risk difference here so that they can choose to uninstall the current V5.x versions of SmartTiles they have installed if they have remaining concerns, and wish to wait indefinitely for the V6 release which will use the Marketplace published Connector SmartApp.
Each user of SmartTiles needs to make this informed decision with as accurate information as possible; hence this Topic’s purpose is to help figure out how to eliminate the confusion.
2 Likes